formbook | 1bd1c6bae8d74df3a44a814fa9f81f1988334317602c2d5f6d468617a14817ed

General

Target

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
Size

410KB
MD5

6d376f79e076fe8e311efac7bbc5499a
SHA1

2193c942e7d02b4627aa0802fb0107dba9b0068f
SHA256

1bd1c6bae8d74df3a44a814fa9f81f1988334317602c2d5f6d468617a14817ed
SHA512

c122aee705ae255855eacf61043969990e33fdeb7188356432e67bea2b1b983c485dd3b4a426bded895d4837785687242a5a3c242e2a45fe31abe05accfbd937
SSDEEP

12288:z4/ucsCfrLEnFHncFQhNe0GM1s65FHbLiSvU6Oui4am3YaCYmO2VdjVTfPKkD0Qs:z4/uY4nlcWNe0KOg2

Score

10^/10

formbook jo agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

jo

Decoy

udcrpf.win

bionicsvr.com

mitesserentferner.com

testtestsmbretail9517.info

wapatvvivolntrernet.com

tribemembers.com

buildings.exchange

progaero.com

aquifuera.com

unglockinge.com

theeoschronicles.com

xn--910ba670d24ddupq1a.com

nihalin.com

indivisiblesb.info

talitagustosa.com

zblogasp.com

shanshanjiu.com

clevel-executive-mail-suite.net

cover-necessary.com

devfunportal.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4540-9-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/4540-12-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/400-5-0x0000000005A40000-0x0000000005A9C000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exevbc.execmstp.exe

description	pid	process	target process
PID 400 set thread context of 4540	400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 4540 set thread context of 3516	4540	vbc.exe	Explorer.EXE
PID 4780 set thread context of 3516	4780	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe

pid	process
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exevbc.execmstp.exe

pid process

400 6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
4540 vbc.exe
4540 vbc.exe
4540 vbc.exe
4780 cmstp.exe
4780 cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exevbc.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
Token: SeDebugPrivilege	4540	vbc.exe
Token: SeDebugPrivilege	4780	cmstp.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3516 Explorer.EXE

pid	process
3516	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 400 wrote to memory of 4540	400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 400 wrote to memory of 4540	400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 400 wrote to memory of 4540	400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 400 wrote to memory of 4540	400	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4780	3516	Explorer.EXE	cmstp.exe
PID 3516 wrote to memory of 4780	3516	Explorer.EXE	cmstp.exe
PID 3516 wrote to memory of 4780	3516	Explorer.EXE	cmstp.exe
PID 4780 wrote to memory of 424	4780	cmstp.exe	cmd.exe
PID 4780 wrote to memory of 424	4780	cmstp.exe	cmd.exe
PID 4780 wrote to memory of 424	4780	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-18-0x00000000750BE000-0x00000000750BF000-memory.dmp

Filesize
4KB

Download
memory/400-2-0x0000000005D20000-0x000000000624C000-memory.dmp

Filesize
5.2MB

Download
memory/400-21-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/400-3-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/400-4-0x00000000058A0000-0x00000000058A8000-memory.dmp

Filesize
32KB

Download
memory/400-5-0x0000000005A40000-0x0000000005A9C000-memory.dmp

Filesize
368KB

Download
memory/400-6-0x00000000084A0000-0x00000000084D0000-memory.dmp

Filesize
192KB

Download
memory/400-8-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/400-19-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/400-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

Filesize
4KB

Download
memory/400-1-0x0000000000E90000-0x0000000000EFC000-memory.dmp

Filesize
432KB

Download
memory/3516-29-0x00000000083F0000-0x000000000857E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-22-0x00000000028F0000-0x00000000029D9000-memory.dmp

Filesize
932KB

Download
memory/3516-25-0x00000000083F0000-0x000000000857E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-26-0x00000000083F0000-0x000000000857E000-memory.dmp

Filesize
1.6MB

Download
memory/3516-14-0x00000000028F0000-0x00000000029D9000-memory.dmp

Filesize
932KB

Download
memory/4540-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4540-10-0x0000000001450000-0x000000000179A000-memory.dmp

Filesize
3.3MB

Download
memory/4540-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4540-13-0x0000000001410000-0x0000000001424000-memory.dmp

Filesize
80KB

Download
memory/4780-15-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download
memory/4780-17-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads